CLAIMS



[Claim(s)] 

[Claim 1] In a computer network to which a user can alternatively connect from one of two or more possible locations, a method of providing improved network security, comprising the steps of: determining the location from which said user is connecting; selecting said user's access level from at least two different access levels based on criteria including said location; connecting said user to said network; and determining said user's access to a network resource based on information including said access level.

[Claim 2] The method according to claim 1, further comprising the step of assigning an Internet Protocol address to said user, wherein said assigned address is determined by the location from which the user is connecting.

[Claim 3] The method according to claim 1, wherein the step of determining the location from which said user is connecting comprises evaluating the Internet Protocol address assigned to said user.

[Claim 4] The method according to claim 3, wherein the step of selecting an access level from said at least two different access levels comprises selecting said access level according to said Internet Protocol address.

[Claim 5] The method according to claim 1, wherein the step of determining the location from which said user is connecting comprises determining that said user has connected to said network through a remote access server.

[Claim 6] The method according to claim 5, further comprising the step of determining whether said user has connected through a dialup connection.

[Claim 7] The method according to claim 6, wherein the step of determining that said user has connected through a dialup connection further comprises determining the telephone number from which said user is connecting, and wherein the step of selecting said access level comprises comparing said telephone number against a list of registered telephone numbers, selecting one level when said telephone number is in said list and another level when said number is not found in said list.

[Claim 8] The method according to claim 1, wherein the step of determining the location from which said user is connecting comprises determining whether said user has connected to said network through a remote access server, and wherein the step of selecting said access level comprises selecting the access level corresponding to more restricted access privileges when said user has connected through a remote access server.

[Claim 9] The method according to claim 1, wherein the step of determining the location from which said user is connecting comprises determining that said user has connected to said network through an intranet.

[Claim 10] The method according to claim 1, wherein the step of determining the location from which said user is connecting comprises determining that said user has connected to said network through a virtual private network.

[Claim 11] The method according to claim 1, wherein the step of determining access to a network resource based on information comprises determining access based on said user's credentials.

[Claim 12] The method according to claim 11, wherein the step of determining access to a network resource comprises creating an access token for said user.

[Claim 13] The method according to claim 12, wherein said access token is associated with each process of said user, and wherein the step of determining access to said network resource comprises comparing the information in said access token with the security information associated with each network resource.

[Claim 14] The method according to claim 12, wherein the step of creating said access token comprises creating a restricted token from said user's normal token, and removing from said restricted token at least one privilege present in said parent token.

[Claim 15] The method according to claim 12, wherein the step of creating an access token comprises creating a restricted token from said user's normal token, and changing the attribute information of a security identifier in said restricted token, relative to the attribute information of the corresponding security identifier in said normal token, so that said security identifier can be used only to deny access.

[Claim 16] The method according to claim 12, wherein the step of connecting said user to said network comprises authenticating said user through a challenge-response protocol.

[Claim 17] The method according to claim 12, wherein the step of connecting said user to said network comprises receiving from said user a ticket issued by a ticket-issuing function.

[Claim 18] The method according to claim 12, wherein the step of connecting said user to said network comprises receiving from said user a certificate issued by a certificate authority.

[Claim 19] The method according to claim 12, wherein the step of creating an access token comprises creating a restricted token from said user's normal token, and adding at least one restricted security identifier to said restricted token.

[Claim 20] The method according to claim 12, wherein the step of determining access to a network resource comprises comparing the security information associated with each network resource with the user information in said access token and with at least one restricted security identifier.
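Claims 12 to 20 describe the access-token side of the mechanism: a restricted token is derived from the user's normal token by removing privileges (claim 14), marking security identifiers deny-only (claim 15) and adding restricted security identifiers (claim 19), and an access check then compares the resource's security information with the token (claims 13 and 20). The following Python model is an added illustration and is not the patent's own code; the SID names, privilege names, the ACE list format and the deny-only attribute flag are assumptions chosen for the example.

```python
"""Model of the restricted-token access check from claims 12 to 20.

Added illustration, not the patent's own code. SID names, privilege names,
the ACE layout and the DENY_ONLY flag are assumptions made for this example.
"""
from dataclasses import dataclass, replace

DENY_ONLY = "deny-only"  # attribute of claim 15 (constructed name)


@dataclass(frozen=True)
class Sid:
    name: str
    attributes: frozenset = frozenset()


@dataclass(frozen=True)
class Token:
    """User SID, group SIDs, privileges and (for a restricted token) the
    restricted SIDs of claim 19; a normal token has no restricted SIDs."""
    user: Sid
    groups: frozenset
    privileges: frozenset
    restricted: frozenset = frozenset()


@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    sid: str
    rights: frozenset


def create_restricted_token(parent, remove_privileges=(), deny_only=(), add_restricted=()):
    """Claims 14, 15 and 19: derive a restricted token from the normal (parent) token."""
    def mark(sid):
        if sid.name in deny_only:
            return replace(sid, attributes=sid.attributes | {DENY_ONLY})
        return sid
    return Token(
        user=mark(parent.user),
        groups=frozenset(mark(g) for g in parent.groups),
        privileges=parent.privileges - frozenset(remove_privileges),
        restricted=parent.restricted | frozenset(Sid(n) for n in add_restricted),
    )


def _rights_for(sids, acl, requested):
    """One ordered pass over the ACL for one SID list; returns the rights granted.
    A deny-only SID still matches deny ACEs but never allow ACEs (claim 15)."""
    by_name = {s.name: s for s in sids}
    granted = frozenset()
    for ace in acl:
        sid = by_name.get(ace.sid)
        if sid is None:
            continue
        if ace.kind == "deny":
            if ace.rights & (requested - granted):
                return frozenset()   # an explicit denial of a still-needed right wins
        elif DENY_ONLY not in sid.attributes:
            granted |= ace.rights & requested
            if granted == requested:
                break
    return granted


def access_check(token, acl, requested):
    """Claims 13 and 20: compare the resource's security information with the
    user information in the token and, when present, with its restricted SIDs.
    Both passes must grant every requested right."""
    requested = frozenset(requested)
    if _rights_for({token.user} | token.groups, acl, requested) != requested:
        return False
    if token.restricted:
        return _rights_for(token.restricted, acl, requested) == requested
    return True


# Constructed sample data: one user, a normal token and its dialup-restricted form.
NORMAL = Token(user=Sid("alice"), groups=frozenset({Sid("Employees"), Sid("Finance")}),
               privileges=frozenset({"backup", "shutdown"}))
DIALUP = create_restricted_token(NORMAL, remove_privileges=["backup"],
                                 deny_only=["Finance"], add_restricted=["DialupUsers"])

PAYROLL_ACL = [Ace("allow", "Finance", frozenset({"read", "write"}))]
HANDBOOK_ACL = [Ace("allow", "Employees", frozenset({"read"}))]
BULLETIN_ACL = [Ace("deny", "Finance", frozenset({"write"})),
                Ace("allow", "Employees", frozenset({"read", "write"})),
                Ace("allow", "DialupUsers", frozenset({"read"}))]


def demo():
    """Return the outcome of each check so the effect of each restriction is visible."""
    return {
        "normal_payroll": access_check(NORMAL, PAYROLL_ACL, {"read"}),
        "dialup_payroll": access_check(DIALUP, PAYROLL_ACL, {"read"}),      # Finance is deny-only
        "normal_handbook": access_check(NORMAL, HANDBOOK_ACL, {"read"}),
        "dialup_handbook": access_check(DIALUP, HANDBOOK_ACL, {"read"}),    # no ACE for a restricted SID
        "normal_bulletin_write": access_check(NORMAL, BULLETIN_ACL, {"write"}),
        "dialup_bulletin_read": access_check(DIALUP, BULLETIN_ACL, {"read"}),
        "dialup_bulletin_write": access_check(DIALUP, BULLETIN_ACL, {"write"}),
    }
```

The two failure modes worth noticing are `dialup_payroll`, where the deny-only Finance SID can no longer satisfy an allow ACE, and `dialup_handbook`, where the resource is readable by every employee but carries no ACE naming a restricted SID, so the second pass of claim 20 fails; a deny ACE for a deny-only SID still denies, which is why `dialup_bulletin_write` is refused.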

[Claim 21] In a computer network to which a user can alternatively connect from one of two or more possible locations, a system for providing improved network security, comprising: a determination mechanism that determines the possible location from which the user connects and selects one access level from at least two different access levels based thereon; a security provider that establishes said user's access privileges based on information including said access level; and an enforcement mechanism that determines the user's access to a network resource according to said established access privileges.

[Claim 22] The system according to claim 21, wherein said determination mechanism assigns said user an Internet Protocol address based on said determined possible location.

[Claim 23] The system according to claim 21, wherein said determination mechanism evaluates the Internet Protocol address assigned to said user.

[Claim 24] The system according to claim 23, wherein said determination mechanism selects said access level according to said Internet Protocol address.

[Claim 25] The system according to claim 21, wherein said determination mechanism determines that said user has connected to said network through a remote access server.

[Claim 26] The system according to claim 25, wherein said determination mechanism further determines that said user has connected through a dialup connection.

[Claim 27] The system further comprises a caller ID mechanism connected to a list of registered telephone numbers and to said determination mechanism.
DETAILED DESCRIPTION



[Detailed Description of the Invention]
[0001]

(Field of invention)

This invention relates generally to computer systems and, more particularly, to an improved security model for computer systems.

[0002]

(Background of invention)

Current computer security systems determine a user's access to a network resource based on the authorization granted according to the user's credentials. This user-centered model gives the growing mobile/remote user population great flexibility. For example, the connectivity of remote access servers and the Internet makes it possible for a user to access a firm's resources transparently from virtually any location.
[0003]

Although this flexibility benefits both users and network owners (for example, a firm or company), such increased usefulness and easy connectivity inherently raise the risk of unauthorized access. Although encrypted network communication prevents wiretapping, allowing remote access to company resources containing highly sensitive information still carries an inherent risk. Even when transmitted resources (files and the like) are in fact protected, there may still be a subset of company resources containing highly sensitive information that a firm does not want even a properly authorized user to access from just any location.
[0004]

For example, a laptop user working on an airplane may carelessly display the firm's highly confidential strategy to a stranger who has no business seeing it. With the large, wide-viewing-angle screens of newer laptops, it is even harder to prevent other passengers from looking at the contents of the monitor. Similarly, as the mobile user population grows, theft or loss of notebook computers further threatens the security of confidential company data, particularly when a user's account and password are also kept on the stolen laptop. Existing security mechanisms presume that, as long as a user has suitable credentials, the user may freely download files from a remote location and perform other remote actions, and thus contribute to these and other security risks.
[0005]

In short, the connectivity of remote access servers (RAS) and the Internet lets a user access company resources from virtually any location. However, certain locations (especially remote ones) are less safe than others. For example, because convenient access is increasing, a file downloaded to a laptop computer is much more easily stolen than a file kept on a desktop machine in the firm's office. Similarly, an unauthorized person may obtain a user's account and password, and the possibility that they will use these to access the firm's resources from a remote location is thereby maximized.
[0006]

(Outline of invention)

In short, this invention provides an improved computer network security system and method in which access to a network resource is determined based on information including the location from which the user has connected. In general, the less trustworthy the user's location, the more the access privileges assigned to the user are restricted. A determination (discrimination) mechanism determines the user's location with respect to some category of security policy, such as distinguishing a local user, an intranet user, and a dialup user from one another. A security provider establishes the user's access privileges, for example by setting up an access token for the user based on information including the location and the user's credentials. An enforcement mechanism uses the access privileges set up for the user to determine whether to permit or refuse access to a resource. The location-based access privileges can be restricted relative to the user's usual access privileges according to a security policy. For example, a local user's processes may be no more restricted than the user-based security information in the user's normal access token allows, whereas the same user connecting through a dialup connection may have restricted processes. Location-based discrimination is preferably performed by using a restricted token to restrict the access of a user who has connected from an untrusted location.
[0007]

Other objects and advantages will become apparent from the following detailed description, made with reference to the drawings.

[0008]

(Detailed explanation)

Exemplary operating environment

Figure 1 and the following discussion are intended to provide a brief, general description of a suitable computing environment in which the invention may be implemented. Although not required, the invention is described in the general context of computer-executable instructions, such as program modules, being executed by a personal computer. Generally, program modules include routines, programs, objects, components, data structures, and the like that perform particular tasks or implement particular abstract data types. Moreover, those skilled in the art will appreciate that the invention may be practiced with other computer system configurations, including hand-held devices, multiprocessor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, and the like. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.
[0009]

With reference to Figure 1, an exemplary system for implementing the invention includes a general-purpose computing device in the form of a conventional personal computer 20 or the like, including a processing unit 21, a system memory 22, and a system bus 23 that couples various system components including the system memory to the processing unit 21. The system bus 23 may be any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. The system memory includes read-only memory (ROM) 24 and random access memory (RAM) 25. A basic input/output system 26 (BIOS), containing the basic routines that help to transfer information between elements within the personal computer 20, such as during start-up, is stored in ROM 24. The personal computer 20 may further include a hard disk drive 27 for reading from and writing to a hard disk (not shown), a magnetic disk drive 28 for reading from or writing to a removable magnetic disk 29, and an optical disk drive 30 for reading from or writing to a removable optical disk 31 such as a CD-ROM or other optical media. The hard disk drive 27, magnetic disk drive 28, and optical disk drive 30 are connected to the system bus 23 by a hard disk drive interface 32, a magnetic disk drive interface 33, and an optical drive interface 34, respectively. The drives and their associated computer-readable media provide non-volatile storage of computer-readable instructions, data structures, program modules and other data for the personal computer 20. Although the exemplary environment described here employs a hard disk, a removable magnetic disk 29 and a removable optical disk 31, those skilled in the art will appreciate that other types of computer-readable media which can store data accessible by a computer, such as magnetic cassettes, flash memory cards, digital video discs, Bernoulli cartridges, random access memories (RAMs), read-only memories (ROMs) and the like, may also be used in the exemplary operating environment.
[0010]

A number of program modules may be stored on the hard disk, magnetic disk 29, optical disk 31, ROM 24 or RAM 25, including an operating system 35 (preferably Windows NT), one or more application programs 36, other program modules 37 and program data 38. A user may enter commands and information into the personal computer 20 through input devices such as a keyboard 40 and a pointing device 42. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner or the like. These and other input devices are often connected to the processing unit 21 through a serial port interface 46 that is coupled to the system bus, but may be connected by other interfaces, such as a parallel port, game port or universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface, such as a video adapter 48. In addition to the monitor 47, personal computers typically include other peripheral output devices (not shown), such as speakers and printers.
[0011]

The personal computer 20 may operate in a networked environment using logical connections to one or more remote computers, such as a remote computer 49. The remote computer 49 may be another personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to the personal computer 20, although only a memory storage device 50 is illustrated in Figure 1. The logical connections depicted in Figure 1 include a local area network (LAN) 51 and a wide area network (WAN) 52. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet.
[0012]

When used in a LAN networking environment, the personal computer 20 is connected to the local network 51 through a network interface or adapter 53. When used in a WAN networking environment, the personal computer 20 typically includes a modem 54 or other means for establishing communications over the wide area network 52, such as the Internet. The modem 54, which may be internal or external, is connected to the system bus 23 via the serial port interface 46. In a networked environment, program modules depicted relative to the personal computer 20, or portions thereof, may be stored in the remote memory storage device. It will be appreciated that the network connections shown are exemplary and that other means of establishing a communications link between the computers may be used.
[0013]

Location discrimination

In accordance with one aspect of the invention, a method and system are provided that determine access to a resource based on the user's location, in addition to the user's usual access privileges based on the user's credentials. For example, a valid user determined to be at a local, safe location may be granted full access privileges, whereas a user at a remote location may be granted restricted access privileges. Furthermore, the amount of restriction may be varied based on the type of remote access.
[0014]

By way of example, Figure 2 shows a number of locations from which a user may connect to a company network 60 (which may include one or more local machines). A user may connect through a local area network (e.g., LAN 51, network interface 53 and so on, as shown in Figure 1) on computers 62₁ to 62ₙ. Other users may connect from remote office servers 64₁ to 64ₙ, for example over a T1 connection, and still other users may connect through the Internet via a virtual private network (VPN) 66. Still other users may connect in any number of ways from other locations (not shown) through remote access servers (e.g., 68₁ to 68₂).
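The outline in [0006] and the location discrimination of [0013] and [0014] (with claims 2 to 8) describe the other half of the mechanism: the entry point assigns the address, the address and connection type identify the location, and a policy maps the location to an access level. The following Python model is an added illustration and is not the patent's own code; the address pools, the registered caller-ID list, the enum names and the policy table are constructed for this example. It generalizes slightly beyond the text by treating an address that disagrees with the reported entry point as the least trusted case.

```python
"""Location determination and access-level selection, modelled after [0006],
[0013] and [0014] and claims 2 to 8.

Added illustration, not the patent's own code. Address pools, the caller-ID
list and the policy table are constructed; the address is only usable as
evidence of location because the entry point (RAS, VPN) assigns it (claim 2).
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Location(Enum):
    LOCAL = "local LAN"
    INTRANET = "remote office over T1"
    VPN = "virtual private network"
    REMOTE_ACCESS = "remote access server, not dialup"
    DIALUP_REGISTERED = "dialup from a registered number"
    DIALUP_UNKNOWN = "dialup from an unknown number"
    UNKNOWN = "undetermined"


class AccessLevel(Enum):
    FULL = 0
    RESTRICTED = 1
    MINIMAL = 2


# Constructed address pools; each pool is handed out by one kind of entry point.
ADDRESS_POOLS = [
    (ipaddress.ip_network("10.1.0.0/16"), "lan"),
    (ipaddress.ip_network("10.2.0.0/16"), "branch"),
    (ipaddress.ip_network("10.200.0.0/16"), "vpn"),
    (ipaddress.ip_network("10.250.0.0/16"), "ras"),
]
# Constructed caller-ID list for claim 7 (fictional 555 numbers).
REGISTERED_NUMBERS = frozenset({"+1-425-555-0100", "+1-425-555-0101"})

# Security policy: the less trustworthy the location, the more restricted the level.
POLICY = {
    Location.LOCAL: AccessLevel.FULL,
    Location.INTRANET: AccessLevel.FULL,
    Location.VPN: AccessLevel.RESTRICTED,
    Location.REMOTE_ACCESS: AccessLevel.RESTRICTED,
    Location.DIALUP_REGISTERED: AccessLevel.RESTRICTED,
    Location.DIALUP_UNKNOWN: AccessLevel.MINIMAL,
    Location.UNKNOWN: AccessLevel.MINIMAL,
}


@dataclass(frozen=True)
class Connection:
    assigned_ip: str
    via_ras: bool = False          # reported by the remote access server
    dialup: bool = False
    caller_id: Optional[str] = None


def determine_location(conn):
    """Claims 3 to 7: evaluate the assigned address, then refine RAS connections
    by connection type and caller ID."""
    try:
        addr = ipaddress.ip_address(conn.assigned_ip)
    except ValueError:
        return Location.UNKNOWN
    pool = next((kind for net, kind in ADDRESS_POOLS if addr in net), None)
    if pool == "lan" and not conn.via_ras:
        return Location.LOCAL
    if pool == "branch" and not conn.via_ras:
        return Location.INTRANET
    if pool == "vpn" and not conn.via_ras:
        return Location.VPN
    if pool == "ras" and conn.via_ras:
        if not conn.dialup:
            return Location.REMOTE_ACCESS
        if conn.caller_id in REGISTERED_NUMBERS:
            return Location.DIALUP_REGISTERED
        return Location.DIALUP_UNKNOWN
    # The address is outside every pool, or it disagrees with the reported entry
    # point: treat as the least trusted location rather than guessing.
    return Location.UNKNOWN


def select_access_level(conn):
    """Claim 1: choose the access level from criteria including the location."""
    return POLICY[determine_location(conn)]
```

The output of `select_access_level` is what the security provider of claim 21 would consume when deciding whether to issue the user's normal token or a restricted one; the fail-closed `UNKNOWN` branch is the design choice a practitioner would want here, since an address that an entry point did not assign carries no location evidence at all.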
[0015] 
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IStSEfctt LTJffiBS LTl^£ £ <h **3£-T * £ £ ZftWLtTZnmm 2 5 teiBtt© 

[waaa 2 7 ] wmms*mnm*§<D v x h fc^rj-^iBi^su^ic^^ti 



(6) 
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7-^^CDiI^@^raLT^^n^HUlBlL-^-(D7 7 ^4zX^tCj:b^LTct 

-r^«a<3l2 1 tClBtg^i/X^Ao 

t*#«fr«»*^2 1 lcfBig<7)->XxAo 

[|f2&H3 1 ] MIB-b+n 'Jt 1 ^ • 7p/K^ 89E^-1f-©IWB* 

T^W3<J12 1 IciBig^^XxAo 

*y h«7-* • 'jy-x^<07 7 ^Hzx*^E-rsc^*1#«<!:-r*»*^3 2tc 
IBtK^-yXxAo 

7\ fulB7z^;U^7 7 <7 4zX^jl^^iJPS-r^^5iT^oTs 
S * x y =r * =r * ft 6 § tt IX o T 7 7"T ; U 'v T 7 * -fe X T 3 X =r y 7 1 s 
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•trx • U^;Ufr6iiuf3x>7 1 Y5 1 <Ji<D7 7 ^-bX • U^^I^t^Xf-yyi 

jtulBT^-bX • U^U^trlffEtcS^Tx huIBx^t 1 ^ x-fOfulBX T'-f 
y U'v to T <7 -b X % X =r v Zf 

[|f^Jl3 5] BUHBXV^-f x-Ytes Ui-h • ZiykfiL-^ • v'X/A 
(D^P-bXT^-pT. fu§B'>7£< ^^OtDM&^T^-bX • U^/Ufr6fulBX 
vf-rf-rffl^Z^-bX' U^/U^jgJRf^MIBXx'y^s buIBp-^U • -? 
-/XOZfn-tiXlzttLZtemKDT't-tzX • U^OU^fODMaT, SuHBU^- h • 

:/£^tr£££#^£?-£lf;£iI3 4 KSBe<D£>£o 

[M^JI 3 6 ] luIBx > t- 4 =r 4 Suf 3 p V t: 0 il - * • +7— / UzTUfT 
LTl^X^uy h-e^Ux ful3^&<£fc2^<7)g&;57 7 ^-trX • 
buhBxVt 1 ^ T^fflOT^-lzX • l"<jls*miR-?2>XTv7tes X^'J^hKtt 

JS3 4tCfB«6OT>£o 

[»^J13 7] huIBxVt 1 ^ t 1 * «s SulBPVfcfiL-^ • +7"-A±T1SMI!j 

eSul3x>7 1 ^7 1 'rffl^7 , ^-bX • U'^U^jS^-T^Xt 1 ^^^ FTP+t— M 

mmm3 4 U:=B«CD7j>£o 

[M3<^3 8] fulBx>7 1 i'7 1 ^^ 7n^>©7nt7^ l Js bu§3'> 
&< <i:t2 0(DS75:^7 7 ^-t!X • U^;Ufr6jiul3xV7 ; ^^ffl<7)7 7 ^-bX • L> 

X- U^;U££UUMaTx ^P=!r5>(7)7 p p-trXffllcm2<D7 7 >7-bX • U^/l/£S"jy 
1 T 3 X t> £ £ <!: t ^ff^JS 3 4 tClBit^^^o 
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[000 1] 
[0 0 0 2] 

ij!ft^=]>b:°a-* • -b^zLUxi- • ->X7^(t :i-+f-<7) (cred 
entials) U:^T^*£>ttfcg^Kg^Tx ^7h7-^« 

/Ut-h (mobile/remote) a—tf-APtC^^^Iita'tt^^-r^o /c£*. 

transparently) TV-teXT t^^J^Zf 
[0 0 0 3] 

[0 0 0 4] 
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-T/U- a-+f-(0APttl8^:LT^S©T\ /-h?V* • p>t° a 
PSUv ^(D-t^D-VT^mffi (security mechanism) te, ^-1^^67 7^ 
[0 0 0 5] 

©mtCW^.«; U^E- h • T^-fcX • +f-M (RAS) fccfct/H' h 

(Dmmmts =L-v-mm&r+temon^-i'a>frzfeMvv-xiz7<7-£ 

XTZZ&vlzTZ, LfrU -^p>t— >a> Pftlcy^- r- • p$— ~>a 

?n^^A^ii-+f-co7 7 7^'7v hfecfc^/Kx^- rat ^m^tiv. zn 

[0 0 0 6] 

•bX<ttt«fcy#JRB*+i«o mmm (discrimination mechanism) te N P-fc/U 
teEBU?"5&£s lKo^(D^5 1 d , U<7)-b+iLU7 1 'i'7jtftc^LT3.-+f-(DP 



(10) 
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£T£&£U:J:oT\ *f-©7 £$t±rt3 0 IW (enforc 

ement mechanism) l* % ^^J.-+f-(7)/ci6tciS^*n/c7 7 ^-trX*t^^ LT 

>tf:S-3i/>fc7* -b+a'Jx-f^rtUcfieoTs :l— y-©ffl?is©7* 

[0 0 0 7] 
[0 0 0 8] 

Wit. JS-Vi-Jl' • P^tfzL-^tCcfc^TH^tl^yp^A • ii>2-;l/3g: 
(c x ^p^A-^Ev-zl-;^ ;U-^X -JuV^U. tT^i^K 

-b-y+f • ^-xo^p^-^ syVejmrjimmmmnn.mFas vv-v p c. 
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[0 0 0 9] 

iU2 2, fcctMSlL-'y h- (processing unit) 2 1 <Dtc^sb<D^X^U • * 
t 'J ^ttrl^fDv'XT A Wi^t5">XT A • AX 2 3*^fco ~>X 
fA'/U2 3(i, ^t'J • AXS/ctt^'J -ZlVhP— 7, JUiZLKX, 
©AX • 7-*T<7?*<D?%&Ml<D7-*T<7?*%:fizmT2>n-j3l\/ • MX 

=E i Jits ffiftmvwm^^v (rom) 2 4&&xf^y#u • T^-trx • ^t'j 

(RAM) 2 5*$CJ 0 S*Attl^I">X7 L A2 6 (BIOS) fcfc* ROM24fi 
lC»«*n, iBtt^ft^tC/t-y^-/U • ZIVfcfiL-* 2 0 rt©«fi8£JR©HTHf 

-*2 0 til*- 6tC, HCT^tlTttUtftl/ttf/X- K7VX*frSBE*ttiLfcy»# 
&h,tcV?2>rc&(D/\- KxVX^ • K7^2 7, aUftUHfett (removabl 

e) ^m^v x<7 2 9 frzmfr-m Ltc v s*&A/7c y T^tdbcomfair^T.^ • 

tVX<7 3 1 A^e^liiLfcy«^^A,f£y-r^fci6©7 l c7 : VX^ • K^73 
0 M-KtVX^- K7-<72 7, SBfiTVX* • 

2 8, fc^rf^vx^ • k^<^3 ott*-tt?tu n-K^yx?- K^f? 
T^K^-r^- o^-xx-x3 4tc c fcoT^n^ni/X7 i ix • /U2 3izmm 

/\°-V^-/U- □Vtfi-^2 0Ofcd6lC3VkTiL-^SBI*3» l jRrilB^, 
X<7, — r«*-h'Jy^ vV^^^-bX-^t'J (RAM) , m
dmvmmttV (ROM) ft£© % □ VL°:i-*tcj;oT7 7 ^Xprt&&x- 

* sffto * -r zf<o =i v t? - * m&r y RTSE&iSttfcfly t l t ©»fE 

^P*g TH»B T? * 3 C £ 3#S ft* 5 3 = 
[0010]

T<<y?- *s7stU3 5 (JffKttWi ndows NT), 10 

tf/\-KrYX^ IM7<X^2 9s tgtVX^SU R OM 2 4*fd*R A 
M 2 5 iCfcifrtT^o IL-+f-tt, HMO^WVt^V^ • 

YX4 2^i:M7/\VX?^LT/\-yt/b • ziVfcfn-* 2 0 ten W K 
fc«fctflt«*AJjT?*3o ffecDAT^MVX (HI/THi-r) It. -?-<<7n7*>, 
ya-fXx^y^ y-ik'/^K, m^h-^yi/i (sate 1 1 ite dish 
) , x* + *&£*$trC£#T££o £ ft 6 <fc tftft© A2i 9i W Xl&L if L 

h 2 1 UijgJJBS-ftTl/^tf, /\°^U;U • K ?-U • FSfc 
tesFUBS/'JT 7 /!//** (USB) &£<DTO^>*-7i-XtC<J:oT&^ftT 

7W4 8f*<!:'0-<>^-7i-X^LT>'X7/. • / U2 3 IC&toSftT 

tf^uv^&^offtoiBiaa^x/t-rx (i^W) £#t> 0 

[0011]

/\°-Vt-;U • 3>fcfa-*2 0«\ 'J^- h • 3Vk°i-^4 9S«i:lOffc 
•ziVbfa-^x Jl/-*s *9h7-^PC, bV-T^VWX (peer d

evice) £fc«:fft<7>#il*v h?-* • /- KWA ^WlCtt/\°-V^;U • 

^tu-xh u— s> • f/ux 5 ocowgj i ics^nri/^o m 1 

icftfrftfcaiSiftBSWu □-*;Ux'J7 7 -*y h?-^ (LAN) 5 1 fc<fctW£ 

^7h7-? (WAN) 5 2?tt? 0 Z.O£^tty \»V-?i\:mm\Z*7<< 

tc^51tt:JI6ft3o 
[0012]

^ -O^-^y h ft <!fJ£«^y h '7-^5 2 ±T*5iffll*«3ir*o ^54 
6 ^LT^XT/i • /U2 3 ICffiWSftTl^o *w h V-WlZtircZmV 

co m vmm u > * «• ^^<d#© *> ami wcttfws^wa. 

[0013]

*^^co-^lc<fctitt\ (ZL-+f-co«^l^tca^fciL-+f , -coiimco 
mens, £6U:> frJPlcOmteU^- h • T^HzXO^-f^teS-^TM; 



(14)

2002-518720



[0014]

MtLZs BUtta-tf-tf (n-TjyU-vi/V («&rT) *^tr) ±M*v 

(Ell lc^?tlfc«fe5lCL AN 5 1 h?-<7 • Y>^-7i-X5 3 

P-fcyl/i'JT 7 • h l 7-*£fl*LT=l>tf:L-*6 2 1 ~6 2 n '\Jg^ 
T*C fte<7)ZL-+f-tifc<h^«'T 1 Jgtf&fcttLTU^- h©t7^ 

x • tr- Me 4^6 4 n ^iu ^eicfte^n.— tf-M^^^rt (V P 

MTx fft<J!)P$— >a> (El^-a-f) ^6^<<7)73>iTJg^T^-^ 0 
[0015]

*mmzm ! $?ni£. v^-i • uv-x^7 7 ^Hzxr£/c#>u:iL-+f- 

->3VKfflW«. /c£*.«\ L AN 6 2 1 £:ftLTP-7J/U • V-»6 OK 

6 4i*^Lfc"l-+f-lCtt^<66^JIS^#©4t^ RAS 6 8 1x 6 8 2 x £ 
fcteV P N 6 6^LfcZL-+f-tC(i*^y§iJPI^^7 7 ^-bXti^^6n^ 

3 o 

[0016]

-te&mcoZ'C f(onmv— ex^mr*. <e« w & w * □ <r - -> a 

R A S 6 8 2 ^LT*'^ h7--? 6 O^if^So |WM§K> n-filU 
• ^-»6 Ofr6£t3&ft OfoSWte) ai^Rrt&l&afc* r^>h7^7hj op 
5/a>^6»«fi«*i^36i«*So RAS6 8 1x 6 8 2 ^7 7 yU7 7 ^ 

y • =L-+r-n. t i mm&frLTV^- h • *7-rx6 4it^lt^£il 



l^J;-5&P$— ~>a>, D.-*f—tmtttZZ. ^a
7V3»&te«U i>a>KHjlL7V< 6^©»f^*"rs*&ti 

arr^T© ras zL-^-^Tttt^mTzm^&z) „ 

[0017]

tc, zcifcia^nfcJ;?^ I pt 7 KUX©p^-*>a v»JlcMLTl*2o 
(DSftSHitfSS. £1 (D®m*<< V*-*v V • P^r- ->a> • +f— tfX ( 
I LS) 6 9tC»^T*5*Js %}Ommzm*<Dn'r-i/a>iZ^Z><7?'(7 7 > 

a**iTt^*) ^syyarsc^ ^-LrffiHSttOcfeyis^p^— *>a v* x 6fg 
iit©j:yii> i PT^iyx^mmr^z-t^m^tcdbicmmT^^iu-^m 

[0018]

S) «l«6 76\ ^CDZL—tf-^U^E- h • T^-tzX • (RAS 

snfc«fc3^ RAs^ut- h • i-if-op^v^Bats^tv ras 

te=L—*f-iz<f>$-*v h • 7p h pyU ( I P) 7 KUXWjy^T* CM 
— tf-fc«fctf I P7 7 KUX£ I L S (-T>*-*y h • P^— >a> • It-tfT. 
) 6 97f»t«o H3 0afttiBltc^-r«fcai«: % I P7KUXAM LSKUXh 



ZnT^ZmS U7'y^3 0 2) % =L—*f-l*Z(DRAS<7 : 7 7,$*f\-LTn

73 1 0) tt£te<fcoT* *JKtt#©7**-feX*«S*l*. 
[0019]

LfrU JL— tf-© I PT KUZtf I L S 69ft?RAS I P7 7 KUXtL 

#J<!:LTx 2-+f-^3-P7y^RAS+t-/\^LTP^>U 
TOK^LTCharlotte (/-XAP7'Tt) K*^ WT^-fe 
XLftL^ Char lotte RAS I L S\,ZZ<DU-13)\, I L SIC 'J 
X h?nfc3-Py/\°<DRASg^£^LT^&l\ LfctfoT, P-*/U L 
S 6 hStlTVftl/^— If-teOlvCtt* a— : 5^aV*» 

[0020]

3 0 6?i^?n«. £<D I P7 7 KUX£\ p-2j/U- v-»KJ;oT8ijyMaT 
6ftfcP-ft;U3\ ffiHi:^ I P7 7 KlxXOttHrtlcftiNi^ n-+f-lip 

7>y73 0 4t£7Jii£U CCT^IB^cfcdlcU^l/^jliT^^t^lS^ti 
3 0 LfrLJ 7 Kl^X#P-*/U£flMaT*#£ I PT KUX<OKBBF«glc 
il— tf-liP-*;U-et**oTL3b xl fcR AS*7>LTJ««cLTfe6-rs Lfc^o 
Tlli?t5o C©«fc3fc:i— WTlc|¥ttllcBi^*n^d:?^s 3.- 

U^^ttfflLTT'^-b^JltWJy^T* (777^3 1 0) a£K«fcoT* >I 

[0021]
[0022]

CDU^/Ki^fc, £<*W&Hz*:iy^©*£*lv:o^Tfcjra**i?"*o feet* 
[0023]

±IB<D««t±K*«:x 2-3(DUA:/UOp-*;Uft«g!J«|«6 7«-a«-r*o Lfr 
U ^»0«ffi^;u$ij^d:ytti^<!|ffl5Mkt-*7"c46lc, I P7HV7^ 

ttHrtW-zUCcfeoTftiy^TStiSCi:*."^*^ RAS+7— /^i^Stcp 

»»#nTi^**^t»»*ctti:aa*nfct\ l#u j:y«ii*N/«Mt*ii 

flfTSfftKU K*fV • +7— /ttC*5l>TflffliT?M I P7 7 Kb3JSH£*£irr5 
chx Bs^tr l L S 6 9 7f i y ^t5«fc y RHtf ^54i\ *6tCx &l;:BJl 
[0024]
[0025]



[Table 1: location, IP address range, restriction level; ranges 111.22.0.0-111.22.255.255, 111.24.0.0-111.24.127.255, 111.24.128.255-111.24.255.255, 111.25.0.0-111.25.255.255]



[0026]

#l<hLTx E14tiiL-+f-*^R AS+f-/\' 682) ^^^1^ 

$70^RAS^-/t6 8 2 ^?^U H2(DlL-+f-^^$/cf*^P'y^ 

m rt ? n/c j. - +f - * c £ ^si-r § - +f -if ii^ m? % t\ m 3 <d=l - 

Z><DfrV&2> a 7<7-t7> - [s^ily&Jk'fctZtclsb^ R A S V— 6 8 2l**"f 
l^m-S) s RAS+f-M6 8 2 ^ x-^^-X (*fcttx-^;W 7 21CKIN 






zL-+f-d; y y v-x^o«k y ^fcT^-fex^-^t^c £tfpimiziz2> 0 

£6tC N 7 0 1 <£IL-+f-, 7 02^^-+f-^>^«v h • IL-+f7 0 3 <7) 
WKMKfrfrfoS-r* yxh • «f 7 0 3 J; y*>*^&7^-tzX*f £*rt£ 
ilii^pr^C^^o /c£*.«\ 'Ji- h • =l>tfa-^7 0 3 <DZL— 

it- M7 6±<D7 7'^;u^\c»z^-trx(D^i i FRi*n^*\ — ^mom^- 
-M7 8'\<DT<7-tz&m?%pjmviLtf&z> 0 mmz, n^s§*swtn 

fa—tf-- nVfcfa-* 7 0^ ftliM+J— M*7 8, fed: 

p ^ - 5/ a > 6 PflfttJ L T— g|3tf)fi£itM I/O) 7 7 -< ; u tc j 7 * -fe X f £ C <!: 

(*6ic«6<on.-if-ilttKffiicJ;-pT*JifiTjrns) x LfrU»ffi 

[0027]

sn**S6*^"r^ i?ji:iT0in0^tt»« ms^x^y^sooTn— t- 

#P-7^U • *z/>6 0*ftLT&ffiLX^Zm&s Xf775 0 2Tfl«U^ 

mmiy^Mzm^x (&#mz) suy^ren^o utru p-7j/I/-^» 



ftfc I P7 7 KUXte, P-£/U 'Oh^'H' :i-+fcD/c&U:{£#£ft/c7'
[0028]

LfrU 2 0T^-+f , -*^V7;U7 7l >y}i^7>LT^LT^ 

5<h^£il*tifc^x X^-y^s 2 O^r'y^s 2 4tc#il£U ^tffrtoft 

tg^^n^n^s^c £#?§&?75rfi3-?£3 a 0 Lassen— >f-# 

RltiJb^^^T 1 ^ hU j*^f«o mffi7 2b\ tMfcW&tettjftEIWte^P 

£\ 2 6itX^yy5 3 2£&ttU K7I P7KU^ RAS 

[0029]

nZM-Stf&Vs fctZtf, =L-+f-xt ftt&J 3" ft fc n. - +f - te, ««/c««A 
[0030]



vZ?5 3 0teX^y75 3 4tC#H£U C £"CM P7 7 KUX^WJziVtfa-
^KHiTS R A S ^^^^zl— tf— g6HlF*g-rSU V ST6ti^o #-5§#;gt;mci£§i 
T*nT^3 £5*;££tt&6 N o fcJi-£\ Xf7^5 3 OlUf-y^S 3 2lC#il£L 
, CCT I P7 7 Kl^X^R AS*^lL-+f-ig|ilF«gTiiJtl^T6n^ 0 P$— 

v a ymmyutt/WM 7 i te^Tm 5 ©Xt7 y 5 o 4 ten y s c z. t*J 

[0031]

777^5 0 4 7 I P7 7 KUX#P-7j;U • «<Vh7^ h • H-TO^HI^ 

con— tf-tcoi^T 1 tmmznZo i pt 7 kuxj^p— *;u • <<> h^*v 

h • IL— l7*(Z)l5HrtlC3B:^*&s X7775 0 8tt*OttH3B«RASaa»3flL 
[0032]

[0033]
**3 WtLTs V— l%±.(Dffe<07 7^)\'*Um?Z>ZL£*:3£A.TZ>-
% 0 ZOyr-CMt. 'Ji- hSMB77-<Jl/ • TtilXs lh?Hff LT 

[0034]

ows NT-tr^aUT 1 ^ • ^x/I^BMbU fiS3i"T^o LfrU W i 

ndows NT^U-^-r>^* ->X^^|®^-rSitEttft<, ffiK* * 

ff*E©«i«T»ftf^ u *m*5-z.% zttfmmt *tiTV£„ 

[0035]

— Aftte% Wi ndows N TtJ-^U-t 1 ^ V?" • ^XxATlix ZL-+f-te 
yp-tX (^t/f K) ^LT*>Xf/xOy V-XlCT^-bT/r^C 

v vtem&immtnfc-sti. ^mmmizyn*xtw&o *fc> windo 

[0036]

l-if-^W I ndows NWU-f'fV^' S/X^ltP^*>LB 

T£?lZ s tf- • ^-XOT^-trX • V-?y 1 0 Ote, U s e r A 

ndGroups7-f — ;U K 1 0 2 &^ts 0 Use r AndGroups7^- 



s i D) i 0 4^tt?h-7>i ooti$fc, *©n.-if-fc*jys!|TSnfctf

Y^7i-X (API) ^LT'>7t/x • ^Py^^KJtf*^*-^** 
[0037]

^tU^t^OU • d-^x* h^®a*SXy/»#&*7 7 *'feX*W*&£) . 
*5<fcO\ 27-*;U • U^/U?«Miitttt6*ifc I — <7>1 OOW^i^ h • 

T^i>>-i 1 4tca#t-r*o *y^i^n 1 2tt*nic«ittW'snfca- 

1 4ti-tr+a';5 l ^SBai?1 1 6fcJ:t»-^>1 0 Ofc-fe+aUT^aMtl 1 

8Kif#rrSo ■te+ayx-resw i i 6©rt*», &i^cte*?^x? ho 

V h l J-<DT<7-teXMW l J7> h (ACL) 1 2 0*^ §X>hU-lCO^T 

>&rcim : g-$nrzT<7i'3» £^t? 0 &x> hu-w^y (S5*f=ttw 

pj) -OS**— 77^; -fe+a'J^-rKgU? (S I D) fc<fct>T^-t27^ 

tf'> h • ^x^oj&t^^ *tfy K*tf RTKSMS-r* i ooo 

1 8teh-^>1 OOrtcni'Jf-f I DfccfcU-VP-tzX 1 1 OK<fc 
oTI^n^7^*>a> («KrT) ©^7**ACL120rt©lVh'J-t 

7 7 ^^xo^^y6^oiL-+f-^rcti^;u-^c^FRlRjtg^it-a> tf^x* 
hi 1 2^/\VKMi7°atX1 1 OtcBg&nStf* *OflfiO*&J4, T^-fc 



[0038]

mtLZ, 3.-+?-* r^g+j ?)\,-7<D*>JK-tLTmi\T2> b-9>* 

tX(iIS?n§o $hm±<0&&fr£>s -tr+^UT 1 ^ • ^x'y^te^P-lzXI 1 
Ojb^-fTh^x^ h 1 1 2 (fFJ$£ feted <) tcT^-fcXL^il^/c^ 

[0039]

-tr^gx-rM^I 1 6te$fcs VXr^ACLffdiSACL 1 2 1 £^ 
l*fr&Lrc*^ls-^3><D£%£>*&&TZfr*7rsU xv h U-|*l<Dtf 'y h 

Tt^M^f^T^^o ^(DyT^)V • KcHTt^S AC L 1 2 1 

T^iTT 3 <h l/oT'fcs ^(Dtf^ U— > a >telB^£ tl3o 
[0040]

ACL 1 2 0lt Cr^TO^iJ^fcteSfK^nfc^UtcMLT) • 
ACL1 2 OrtKUX h^ftfcl HJ-MU ^ r^/U-

^3J ©^V/S-tCtf^i* h 1 1 2^\(D7 7 ^-trX^pr'r^A\ AC L 1 2 
o F*g<E>ffe£>xy h 'J r^u-y 2 4J ©T^T^T^-fcX^^-r^ti 
£#&3o 0 0^ r^VU-^24J -b+^'Jxf I D£^A,W3*§-& 

& T^DENY (JES) x> h'J-^AC L 1 2 0 £>M®U:B< &£Hc<£ 
oTx ^U-T^^ TDENY ALL CT^TJgS) J ^Kl^^x 

u/^"T£ 0 £4>*Ij5)6 (arrangement) te, ^;U--7<7)^t)^^>/\'-CD=&^^S 

<D#gtLfcp<>M-#«JKAC L 1 2 0 rtT«r?*3£>T\ [r]±L/c^^ 

awr * c: t tfw e>frz*&z?o 

[0041]

7 7 ^-bX(7)^-l'7 p ^^-r^^yic, «P?#ttMAX I M U M A L L O W 

erAndGroups UXh^ACL 1 2 0rtOM(DlV h U-KS^VT 

[0042]
<DS I D*^LT7 , ^-tX*WRTLLTl^*8 , T , fc, #K TuSE_FOR_
DEN Y_0 N L YJ £^-<7Ztltc 1 0*fc»*«BtOi— V-Sfctt^/I/-^ 

I D\,Z*7Vjl<7 hOACLF«g<Dx>h'j-i:ibR*n«o 
[0043]

J»*KJcJ:titf, 7^-tzX- h-*v«:i-1f-<0W8yfc«fctf:i--tf 

ft*. — AftlCs ~>a VOflHHttflHBEt^ M&tttteft/c^P-feXtf 

T^HzXT^U V-XKHILTs fc<fctf/£fctt, ^tf) h-?>#Cft6<2U 

IX 6 ftfcfcJPStti* h > KHilttW' S ft * RTCitttf* 
[0044]

fc?&Z> a US E FOR DEN Y O N L Yi^-^jftfc-lz+i Ur^f I 

Dti % 7 , ^^X*WRTt-*aW©fcA6lz:tta!iJRWtE^*ft*3B l , %<D-tZ*3-V 
I DKHILT TDENY J iVh'J-^tnACLH te^«hL 

T7^tX^?ft5o ^JchLTv $iJPI^h-^>1 2 4 (H9) ft^VU 
-^©■MriUx-f I DtfUSE_FOR_DENY_ONLYi7--?^ 
LTl^ACL 1 2 0&mTZ>*Z?~JjL? h 1 1 2^7 <7 -tzXL£ ? tUft-fct
I Dlc<fcoT7'^-tzX^#75:^n«^e75:l^<!:tJ:75:^ 0 LfrU ACL80# 

w^ntc^ ^^(Dy<7i/ 3 yizmLz ^11-^2^0 e n y^ltux hut 
tc a^^) e -r t 7 * ^ x & rt * n& i\ 

[0045]

ctitt^-/^^ ZL-+f-$fct*^VU-y^iL-+f-£DP^-i/a Vtca^ 

%>?>o 0 l.ttt&^frs I P7 7 KUX§5HteJ.-H/-<7>n^- ->a>KS^T 
* 7c£*J2; □ -£;!/• ^i/y\^LTl^li^ffllIU^/UO, Oh^-. 

U S E F O R D E N Y_0 N LYi?-^^ 

[0046]

-?U>y hj s I D s r«|ffij s I D N fccfcTj r^HMj S I D^tsM^(DT 

ZL-+f-X7bMfHU^U0T^o/i:Jt^ J.—*f-X<Dmm<D h-tyftfemZ 

h'^">-^U7hSIDtt, =L-+f-X(DT<7-tX • h-^XDtfT'U S E 
_F0R_DENY_0NLY<!:T-'i7T*-n^ 0 [W|*^tC x -fl$SU^;U2 T^x h 
7^ • ~>-<7lsV hS I DfeitfffiS I DOI^USE_FOR_DENY 
_ON L Yt^-<7-£tls —Ids U^7U3TWu h V 7 • 5/—'. > U l > h S I D. 
»S I D23£Zr&mmS I DtfUSE_FOR_DENY_ONLYi7-^ 
?n« 0 -tr+aUT 1 ^ I D 1&—%$<D# ~?~J i^h^ACL^ THi r DE NYj <!: 
l/*C£lca*«!rnfct\ ^ZlZ. H<D\J S E FOR DE N Y O N L Y-fc^

[0047]

h-?>%: : g-?%3-— i f-lZ. IL— +f-^P-7J7U • ^5/V6 OlCfijgjgfltSft 
[0048]

=lVt* i Dits yp-tx, 'jy-XK^^Wf^^ GU I Dfcffi 

Pgtt^-fe+ngT 1 ^ I D£^tri§^ *<Dh-<7>temn<D7<7-£X • ^x>y 
C£WJIBtt£-fe*:i l J^<f I Dtt^i^h©ACLrt©IVh 
U-lcWLTibR*n«o LfcftbL fc^tfMtt* S I D14 TraSj «• 
»J£U EtUCfcoT* hcDAC L# TRASj x> MJ -£*iL£ 

[0049]

H9raTrnfc«fc5tJ:. ftJPStt^-tr+aUT 1 ^ I Dl4#JI®tt*h-*V1 2 4 
[0050]

[0051]
[Table 2]



®AS:»f V^t, USE FOR DENY O N L Y If y hSr 



[0052]

gt#£> h-*Vfr6fMBBtt# h-^VfcfMBr^fc&U:. NtFi I terT 

(api) tum&ztu *<Dmm&k<Dtteve&z>o 

[0053]
[Table 3]

NTSTATUS
NtFilterToken (
    IN HANDLE ExistingTokenHandle,
    IN ULONG Flags,
    IN PTOKEN_GROUPS SidsToDisable OPTIONAL,
    IN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL,
    IN PTOKEN_GROUPS RestrictingSids OPTIONAL,
    OUT PHANDLE NewTokenHandle
    );



[0054]

NtFi I terToken A P I CreateRestricted 
Token tZttWontcW i n 3 2 API ©T?5y ^Jtlv Create 
Restr ictedToke n<Dftmi£$l(Dt2S'')V$>% a
[0055]
[Table 4]

WINADVAPI
BOOL
APIENTRY
CreateRestrictedToken (
    IN HANDLE ExistingTokenHandle,
    IN DWORD Flags,
    IN DWORD DisableSidCount,
    IN PSID_AND_ATTRIBUTES SidsToDisable OPTIONAL,
    IN DWORD DeletePrivilegeCount,
    IN PLUID_AND_ATTRIBUTES PrivilegesToDelete OPTIONAL,
    IN DWORD RestrictedSidCount,
    IN PSID_AND_ATTRIBUTES SidsToRestrict OPTIONAL,
    OUT PHANDLE NewTokenHandle
    );



[0056]

08fcJ:tmi1 0~1 Wzm7ji-$tltc£?lC, £ft6<DAP I 1 2 6te±t|W]L 

zmmu mmzT^mmteLv&Bst&o} v-?y i oo£<ttK &mzntc 
xzyxizMTzmmmz^tsmmtti* v-txDmm.it. p a r e n t t o 

kenld. Rest r i ctedS i dCount, iS^TlR e s t r i c t 
edS i d s(D3 0(&*ffLl ,k 7-<-/UK£$t> (&©«T±^T5*S*lTV*) 

o 

[0057]
[Table 5]

typedef struct _TOKEN {
    TOKEN_SOURCE TokenSource;                        // Ro: 16-Bytes
    LUID TokenId;                                    // Ro: 8-Bytes
    LUID AuthenticationId;                           // Ro: 8-Bytes
    LUID ParentTokenId;                              // Ro: 8-Bytes
    LARGE_INTEGER ExpirationTime;                    // Ro: 8-Bytes
    LUID ModifiedId;                                 // Wr: 8-Bytes
    ULONG UserAndGroupCount;                         // Ro: 4-Bytes
    ULONG RestrictedSidCount;                        // Ro: 4-Bytes
    ULONG PrivilegeCount;                            // Ro: 4-Bytes
    ULONG VariableLength;                            // Ro: 4-Bytes
    /* field name illegible in source */             // Ro: 4-Bytes
    ULONG DynamicAvailable;                          // Wr: 4-Bytes (Mod)
    ULONG DefaultOwnerIndex;                         // Wr: 4-Bytes (Mod)
    PSID_AND_ATTRIBUTES UserAndGroups;               // Wr: 4-Bytes (Mod)
    PSID_AND_ATTRIBUTES RestrictedSids;              // Ro: 4-Bytes
    PSID PrimaryGroup;                               // Wr: 4-Bytes (Mod)
    PLUID_AND_ATTRIBUTES Privileges;                 // Wr: 4-Bytes (Mod)
    PULONG DynamicPart;                              // Wr: 4-Bytes (Mod)
    PACL DefaultDacl;                                // Wr: 4-Bytes (Mod)
    TOKEN_TYPE TokenType;                            // Ro: 1-Byte

[0058]
[Table 6]

    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; // Ro: 1-Byte
    UCHAR TokenFlags;                                // Ro: 4-Bytes
    BOOLEAN TokenInUse;                              // Wr: 1-Byte
    PSECURITY_TOKEN_PROXY_DATA ProxyData;            // Ro: 4-Bytes
    PSECURITY_TOKEN_AUDIT_DATA AuditData;            // Ro: 4-Bytes
    ULONG VariablePart;                              // Wr: 4-Bytes (Mod)
} TOKEN, *PTOKEN;











[0059]

mn<D mmteLO) h-^^CreateToken AP I^LTfF 
m-£tl2>ti*s RestrictedSid s y^f—lU Kti P a r e n t To k 
en I d7-f-J\/F i t>&l*&Z>Z:£lZ : £m&tircl\ 
[0060]

te&X$/Hitc\t\t}7<<-l\> K©1tffl*#5 CreateRestr i cted 
Token API «PftfttiU £tU*N tF i I terToken AP
M&fcjgghTZo mi O^T-yyi 0 0 O^&KtjVT <£3K x N t F i It 
erToken APIteU DISABLE_MAX_SIDS tZtttfZtlfc 

y^vtfmmznz^zfrti^fr&rjLvv-rZe z.<D7^?it. StLl\ fans 

tt*h-^>1 2 4<75^tC^^^;l/-7 P tC^LT-r^TO-b+rLg7 1 'i' I D#U 
S E F O R D E N Y_0 N L Y ^-^SftTl^&W-fttf&efcl/'C 

So ^^Wsft^TSftlT^SJ*^ Xf77l OOOtiX^v^l 0 0 2tc#ilft 
U 7x7^1 002WU^h-^>1 2 4fl0^b-7"t*2 , Jf-r I 
DOD^tEO^Ts U S E_F O R D E N Y_0 N L YfcaVT fcf y h 

[0061]

D I S A B L E M AX S I D S 77^t Jm^S^lps TsTVZf 

1 0 0 014X77^1 0 0 4lC$JllgU NtFi I terToken API© 
SidsToDisabl e /U KrtlC-b+a U I D^WJlcUX 
nT^*3b x ^3A x *^X ht^o HI1 0OXr7^1 0 0 4^n/c<fc9^ 
tf^a VCDS i dsToDi sab I eA^]7<-il/ Kfi^atS^f, X7 1 
7^1 0 0 6T1i, ^CK'JX hStU £7cs «ih-^>1 0 0<DU s e r A n 
dGroup s 7^-/1/ K1 0 2ftlz$>&&T%&1S;<D-£*=LijT'< I Dtes Iff 
LlM&IRBtt* I — 1 y 1 24(DUserAndGroups7-f — JU K 1 2 8 F*g 
T'U S E F O R D E N Y_0 N L Y i: LTWJ[C7-7?n5o ±fB©<£? 

t^X&^vJTZtz&lZtefemTZT. -fete, ^«k^6SUI^*fcl±^pimc 

D «U NtFi I terToken API 1 260S i dsToD i sab I 
eA^7<-;UKrt^^;l/-y 2 -fe^^ l >'7 1 < I D*ffij£-T* Cilery, SlIRB 
frf^ h-? V 1 2 4|*|T U S E F O R D E N Y_0 N L Y t LT"7-***l 

3o 
[0062]

7^/^- 7PtxiioL^-ii ocDXx^yi o i oizm^s ££TH4D I 

SABL E_MAX_PR I V I L EDGES W5nfc77^7 : 7 
tt£ 0 Z(D7^7immiZ s «fLt\ »ft^h-7V1 2 4 fcOT^TGH** 

cfcatC^^n/cH^s 0 1 OttXxvyi 0 1 2K#il£U 777 

7101 2Ttt«rL^h-^V1 2 4^6-T^TcD^^iJ^tl^o 
[0063]

^^WtS^^nTl^t^^ X7771 0 1 OliX7>y7°1 0 1 4K#lfi 
U ZZTHitf^i/aXDP r i v i I egesToDe I e t e7-r— /l/Ktf 
mm-£ft% 0 NtFi I terToken API12 6 jBWfttfc<!:*fc^£ 

(DV-?y\ 0 0(Dlf«l7-f-;l/Kl 0 8lCfc#fiE-r^«3tO)^*ttts fcrLl^h 
-*>1 2 44M$K7'r-/l'K1 3 0^6iasUlcBUl»*tiSo ES^Wci 
TfcJu r#tt 2 j fr£ r#4t mJ £ LT^*tlfc#1t«^ NtFi I terTok 
en AP I 1 26©Pr i v i I egesToDe I et eA^]7^-/l/ KF*3 
lZZn<=><Dftm&&%.TZ>Z£lZ£-oT. ^fL^h-^>1 2 4£>#*f ^-yU 

Ki 3 o^esu^nTt^o ±iB<D<fc5Jc*«^©io©«B«»c<fctndr, 

1 1 CDXx^yi 0 2 0lCi<„ 
[0064]

f&JIBtt* h-?V1 2 4*f^ja-r*i:*lCs Xt771 0 2 0?R e s t r i 
c t i ngS i d sA737-r-/UKrtlCS I DtffffcLZWcW^ 

h-<7 £?MzmLT7kmtf't7fc>tlZ> a APU IsTokenRe 
strict edtfX777l 0 22Wai*tl, |jth-^><DR e s t r i 
ctingSids"7-r — /U (NtQuery I nformat i onTo 
ken API £*>LT) fS^LTCtl^N U L L ■?ftl/ k /> N £5fr*«K"r£C 
Ktt#h Us APIliTRUE (M) 5Ito htim^V^r^
■otcm^ Sih-^Miii^tDh-^VTa&f AP IttFALSE (fc) £ST 

0 m<Z.Tv7"l 0 2 6ffctt1 0 2 8<Dfc#>Kx h-^>af*»*lWIBf*#T* 

33d:t» / ^7ct*USE_FOR_DENY_ONLY S I DST'£5^) t* 
[0065]

0 2 4TH*. S8h-*>#*UI«tt*T'fc*»£\ Xf7^1024 

iJf<ID7-f-/l/Kl 3 2KMfrtl3o ftllfitt^-fe+iL'JT 1 ^ I D 1$MJ5<D x ) 
t 1 ^ I D37-f-;UKl 3 2tc^e^^.-tr^zLij^-r I D£ilfln?-3£<>:£P.1±L 

£fc10©SiJIBtt*S I D£&TL^h-<7>rt<D^<0h-^yfr6SKy£3&£ 
[0066]

35*l/>«\ 3.7^71 0 2 4Tlih-^^ii^h-^>T««<!:*"JBT*ti 
fc*&v X7771 0 2 8T*rLl^ h— 2 4<DR e s t r i c t i n g S 

1 ds7-<-;l/Ki 3 2t*A737-r-;UKi*ilcgxh?n/ct ) otc^i*-n§ 0 

[0067]
mmz. Xr-VZfl 0 3 OtH^T^ns CZlT-iTL^h-^VI 2 4F*g<DPa
rentToken I d 9 3telfc£<0 (II) h — -frVOT o k e n I d tCl§:££ 

[0068]

mm i 2 ~ 1 4 *#fs LT*«^©»f^©w^iz:Bi« <tx in i 2 tca^n 

*agx<iB^ : ?F , g"etix acli 2 otifcic'jx h?n/cf <^*2Ut : 
Oj ttfW*5iy©*07 , ^-bX^I ! Fpr*tiT^«ci:*^U r WRj m:se&r 

y /S^&^T^-feX^U TSYNCj tef^bZ^Xtfl^^ftT^ 
£<h£/jVt 0 fft©*&J± rXJonesj A^pJ^n/c^U-^rtOy > 
^^^LTZ^-tX^Rl^tlTl^^rt, rxjonesj 

5>x*M 1 2^7<7-bx^IS^nTi^c«htJ:>±^5-n/ci\ ? e>tc N us 

gtttt6*l/cd<Z>h-*>1 2 4^-r^7 p P-feX9 4te\ C©X>h'J-tt r 
DENYj Crftfe-Sv US E_FOR_DENY_ONL Y) ^T-^ftT 

[0069]

W i n d ows N T*-^;UrtT*tK*n* 0 ^Wx* h 1 1 2'\<D7 7 ^-fc 
X^iit^*fci6tC, yp-bX1 3 4 x? h -T*5>>-1 1 4tC s T 7 ^ 

-bxA^ma^rnTi^^-^x^ h*Mgy-r3itffi*3<fca\ ^atm^T 7 *** 

1 1 4liC*UcjE£LT\ 4 0 2 tca^ftfccfc^U:, -b+i'Jf-fl 

f§1 1 8«hR^LT^U h-?>1 2 4F<gK UXh^nfc C/P-feX1 3 4 

fcWittW-snTV*) 3.-+f-j5*W;u-y . -fe+au^r I d^acli 
2 ofocojiy \*v-ttiMLs pmoTt^xftVf^nz^frte^nz^

[0070]

Xr'y^l 4 1 4Tv 7 ^-tzX^fgS-r^o LfrU 4 0 4T7^-bX 

• ^ x >y ^ OIL - +f -gP^JJ ct tf^ U- :/^#<D*g Jiltfi* rI Rj#g& T 7 <7 -fe X 

TZo WLTL^l^ ia»POfS!liatt&<s JICTT'^-bX • fi'^««7 
Lv X7-yyi 4 1 2tciJl^T\ »f- • 7ftX*5«ktf^l/-^' 7 7 ^HzX 

ti£o LfrU X^y^l 406tc«feoTa3£*nfcJ:5^ h-*>«JPgtt 
^-tz+a Ux-f I D&dA/eitSflta* W?X7f^1 4 0 8fCcfc^Tx ft'JPS 
tt^-fe+n.'Jx'r I D5ACL 1 2 OWOIV h *J — t tlC&^>T. 
m2<D7?*>X • fi7^)[)Wn5 0 Xt^1 4 1 OT^0)ll2tD7 7 ^-b 

7141 2 TfFRT£ft3o *-3T>ftlN§^ 7 7 ^-bXtiX7 : >y7 p 1 4 1 4T*§5 

[0071]

mi 3Tmm$llZ7ji-?&olZ s V-iyi 2 4(D^zWRi^^=L , J : r^ I 
Dft&teTZtZltl^T^. 2g|tfxfr6&37 1 X ^ftzcD^olzmfi-ZtiZo 
h-?y\ 2 4F*gcD-fe*ii.U7 1 -i' I D&&X}pm<DT<7*l7. • hi 3 
7i>x^h1 1 2<D**D.VT*s3j& : f-lztjLZ*£m.?Z>C£iz < i:'DTs il^tf) 
J^-feX • h (bfy hCt©AND) *5<fctf*Jlfitt#-fc*:i U tV I DtDJ' 

3<fc?U:Z*HzX*afR7L&ttfttf£Sfcl\ *«^lCig«?TJ*ftt^±iB©«fe 

•pic ii^0D7 7 <7-bx • xx vftmrnK'ttti. TVttmwg-zntcm^zte 
, *64St7 h-^VfclCAC L4)lg&SfflC— $aT2>lz*

tt#S I DO^»©ffi«-^-r*J:3tcfflfiliU IIA OR GffiB A 

[0072]

Z.(D<S:?lzmi 2[Z7jkl*tltcfflTte, h-^>12 4 (7<-/l/Kl 3 2) ft 

*y~Jji'7 h<DAC L 1 2 Ortta*ttJS*"£f&IIBtt*S I Dtfftl^fctt, SI 2 
K,Tx?ftfc#JTH*x *?5>x*M 1 2'\<D7 7 ^-tzXteyP-lzX9 4^*^* 

T^^XT^fU^LTi^tfv 7°P-feX9 4«ACLF«gtc: r^v^-^y h 
•X^X^P-^J S I D (#DENY) «*t5*7*^i^ hOWC7^-t7 

[0073]

7***z©*^:7*fl^-r*ftfc>yu:* 5Wttf»s*tifeMAx i mum_ 

Ateft^CDT^-feX^irt^AC L 1 20^^*-^ •xyu-r^o frJITO* 

-tX*t<E>*-<X («»rT) it. m2<DmfilzMLTmm<D7<7-£7>£LTftfE2 
tU *2 0HtrJ4R estrictedSids UXh?fi7m. 

[0074]

7^-feX- h-^>^P^-->a>^S^fcS^WcD»tptc^o 
-X^T^-feXLJ^^LTl^^P-feX (fc PV7 h • x>7-tr/b

ZZttfTrZZo ffioT, fcc!:^^iL-+f-^-i'^py7 h • 7- ra*£< 

[0075]

SSI! 

nri^j;-5^, *n e n/c 2^ t^ssii (t&^ntlm) *^-r 

T'V h • IL— tf 2 0 0t*3.-+f- I D*$tJ|gaE2 0 2^-/^2 0 4lCjKttL 
, 2 0 4tt^? K*-T> ■ +J--M2 0 6 <t MflL TIL Bf^b 7* 

1 sizmzntc*?^ y-/K2 o 4te*<Dnm*<7 ^-ryy \* 2 0 21ZMU 
i=j ^ry h&iEL<i&&?z>m£iz. *<D=L—*f-immztiz>o 

[0076]

A/7P/W^2 1 0tCi:^TP^— >a>'lf$S2 0 8<b^^H±6.n, fflllg 
tt^h-^>2 1 2*itm?% 0 flJRBtt*h-*>2 1 2«\ ffift<D?^-1'7 7 y 
h • 7°P-trX2 1 6(7)fc46tC+t-/S:2 0 4 T^T^TtlT^^^yP-bX^gl^ 

[0077]

131 7fe<£0 : 1 8fc^£*l7cJ:-5UU Kerberos7P hP7l/£^trtfe<D 
sHH^P hUlU*>mrc*&W£mzmm?1*Zo K e r b e r o s 7°P h=Ul4C 